4
Risk analysis
Step 3: Estimate likelihood of exploitation
– Need to estimate the probability of exploitation of the vulnerability
– Can use data on the frequency of attacks on specific systems
– Often an expert analyst can help with this
Step 4: Compute the loss in case of an attack
– Some are straightforward (e.g. the cost of replacing a piece of standard hardware); some may be very difficult
– If recovery is possible, also include the cost of recovery

5
Risk analysis
Step 5: Select new controls
– For each vulnerability a suitable control is selected
– For example, see the matrix of vulnerabilities and controls in Pfleeger and Pfleeger
Step 6: Determine project savings

6
Example
The input parameters are as follows:
Asset and cost if lost:
– Data; the cost to reconstruct it if lost is £10 M
Likelihood of loss of data (exploit):
– The probability is 5% (from expert knowledge)
Control and cost: an encrypted data store with replicated off-site data storage, using a transaction-based approach to guarantee a backup of each datum change.
– The cost of the solution is £1 M
Effectiveness of control:
– The probability that the control is effective is 70%

7
Example
The calculation is as follows (annual data):
Expected loss without control: 0.05 × £10 M = £0.5 M
Expected loss with control: £0.5 M × 0.3 = £0.15 M (0.3 = 1 − 0.7 is the probability that the control fails and the loss still occurs)
Cost of control plus expected loss with control in place: £0.15 M + £1.0 M = £1.15 M
Finally the decision: the cost with the control (£1.15 M) is larger than the cost without (£0.5 M), so decide not to use the control
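The calculation on this slide, written out as an added Python example (not part of the lecture) and generalised so that any asset value, annual loss probability, control cost and control effectiveness can be substituted; the function names are my own:

```python
from dataclasses import dataclass


@dataclass
class ControlDecision:
    """Annual figures, in the same currency unit as the inputs (here £M)."""
    loss_without_control: float   # p_loss * asset_value
    loss_with_control: float      # residual loss: p_loss * asset_value * (1 - effectiveness)
    total_with_control: float     # residual loss + cost of the control
    adopt: bool                   # True when the control is cheaper overall


def evaluate_control(asset_value: float, p_loss: float,
                     control_cost: float, effectiveness: float) -> ControlDecision:
    """Compare the expected annual loss without a control against the expected
    residual loss plus the control's cost with it in place.

    asset_value   -- cost if the asset is lost (e.g. cost to reconstruct data)
    p_loss        -- annual probability that the loss occurs
    control_cost  -- annual cost of the control
    effectiveness -- probability that the control prevents the loss
    """
    for name, p in (("p_loss", p_loss), ("effectiveness", effectiveness)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must be a probability in [0, 1], got {p}")
    without = p_loss * asset_value
    # The control fails with probability (1 - effectiveness); only then is the loss incurred.
    residual = without * (1.0 - effectiveness)
    total = residual + control_cost
    return ControlDecision(round(without, 6), round(residual, 6), round(total, 6),
                           adopt=total < without)


def annual_saving(d: ControlDecision) -> float:
    """Project savings (step 6): positive when the control pays for itself."""
    return round(d.loss_without_control - d.total_with_control, 6)


if __name__ == "__main__":
    # Figures from the slide: £10 M asset, 5% loss probability,
    # £1 M control that is effective 70% of the time.
    d = evaluate_control(asset_value=10.0, p_loss=0.05, control_cost=1.0, effectiveness=0.7)
    print(f"without control: £{d.loss_without_control} M")
    print(f"with control (residual loss): £{d.loss_with_control} M")
    print(f"with control (residual loss + control cost): £{d.total_with_control} M")
    print("adopt control:", d.adopt, "| annual saving (£M):", annual_saving(d))
```

The same function can be applied to the discussion examples that follow, as long as all inputs are expressed as annual figures.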

8
Example – for discussion (Pfleeger and Pfleeger, Table 8-7)
Cost of reconstructing data, if lost: £1 M
Likelihood of the loss of the data (per year): 10%
Access control software is available which costs £25 K and is effective in 60% of cases
Should we buy this software?

9
Example – for discussion
An organisation has 100 employees. Each of them uses a laptop that costs £1000. In any one year there are likely to be two employees who lose their laptops and need an urgent replacement to carry out their work. The organisation decides to buy one spare laptop (cost £1000 per year). This replacement is likely to be available and useful in 80% of the cases of a loss (i.e. it may not have the specialist software installed which an employee needs immediately, or the replacement laptop may already be in use by another employee).
Carry out each of the steps of a quantitative risk analysis.
Carry out a cost/benefit analysis (if possible) and state whether the organisation should carry out the proposal.

10
Most parameters are difficult or impossible to evaluate:
– amount of loss for a given asset
– some valuable items (e.g. a human life)
– likelihood that a loss will occur
– cost of control
– effectiveness of control
Why do we need risk analysis, even though the numbers it produces are unreliable?

11
Risk analysis
Quantitative risk analysis uses costs and probabilities
Qualitative risk analysis uses non-numerical grades, for example:
– Critical / very important / important / not important
– Very likely / likely / unlikely / very unlikely
Which type of analysis would you recommend, the quantitative or the qualitative one?

13
Trojans
A trojan horse is a program that appears to have some useful or benign purpose, but really masks some hidden malicious functionality
Example: http://www.softlate.com/

14
Trojans
Unlike viruses, Trojan horses do not replicate themselves
Unlike viruses, which are just bad tricks, Trojan horses usually attempt to do something useful for their creator
The main use of Trojans is to collect information from your computer
This is why they are called spyware

15
Example: W32/Sdbot-MA
Each time W32/Sdbot-MA is run it attempts to connect to a remote IRC server and join a specific channel. The worm then runs in the background, allowing a remote intruder to issue commands which control the computer. W32/Sdbot-MA can be instructed to download and install programs on the infected computer, to flood other computers with network packets and to retrieve system information, including CD keys for various games.
(the information is taken from www.sophos.com)

16
Trojans’ behaviour
Simple examples of typical behaviour of a Trojan include:
– Attempting to send e-mail messages to its creator
– Opening a TCP/IP port on your computer, to allow its creator to connect to your computer

17
How Trojans collect information
Keystroke trackers (also known as keystroke recorders)
– record what the user has typed
Fake login screens
– they emulate a login to find out your password

18
How Trojans collect information
Garbage trackers
– they look in the RAM or on the disk for documents which might be encrypted when they are stored in files
85% of documents edited yesterday can be found in unused sectors of the hard drive

19
Protection against Trojans
Before your computer is infected:
– Do not download software from untrusted sources
When your computer is infected:
– Checking logs
– Using sandboxes (what is a sandbox?)
– Using firewalls (what is a firewall?)

20
Worms
A worm is a self-replicating piece of code that spreads via networks and usually doesn’t require human interaction to propagate.
Example: the Melissa virus from the previous lecture could also be classified as a worm

21
Trapdoors/backdoors
A backdoor is a secret entry point to a program that otherwise operates normally. It allows attackers to bypass normal security controls, gaining access on the attacker’s own terms.
(this is the definition given with respect to one separate program)

22
Backdoors (relative to one program)
[Diagram: a program shown as two regions, labelled “Here, a password is checked” and “And here, the actual code starts”]
Normally, execution starts at the beginning of the program
However, a hacker can start the program at some distance from the beginning, and see what happens

23
Trapdoors/backdoors
A backdoor is a program that allows attackers to bypass normal security controls on a system, gaining access on the attacker’s own terms.
(this is the definition given with respect to the whole computer system)

24
Backdoors (relative to a computer)
[Diagram: a log-in sequence shown as two steps, labelled “First, check the user’s password” and “After that, allow the user to work with the data or run programs”]
The normal user’s work session starts here, at the password check; a hacker can start a work session bypassing the password check

26
Rootkit
A rootkit is a set of tools that modify existing operating system software so that an attacker can keep access to and hide on the machine.
We can say that rootkits install trojans and backdoors – why?

27
Code in e-mail messages
These are simple techniques which an attacker can use; we consider them to prepare for considering the more complicated techniques of cross-site scripting
It is possible to include executable code (e.g. JavaScript, VBA) in e-mail messages
This can be used to collect information about the receiver of the message
In more dangerous cases, the code can affect the work of the receiver’s computer

28
Code in e-mail messages
Example: spammers check the validity of e-mail addresses using HTML messages (this is referred to as ‘read tracking’; also look up ‘pixel tracking’)

29
How spammers check the validity of e-mail addresses
The idea is as follows. The spammer generates a numbered list of e-mail addresses, for example:
1 aaa@essex.ac.uk
2 bbb@essex.ac.uk
…………
3495 asvern@essex.ac.uk
The spammer sends a message to each address, which includes the number of this address in the list as an argument of a script

30
Code in e-mail messages
[Diagram: the client on the left, the server www.spam.com on the right]
The client on which asvern checks his e-mail is lured into asking the server to execute script.php with an argument id=3495
The script script.php is executed on the server www.spam.com. This script can record that asvern checks his e-mail; therefore, it is a valid e-mail address

31
For discussion
Before December 2013 Google Mail did not show images in messages by default
After December 2013, Google caches the images on its servers before showing them to the recipient
What are the advantages and disadvantages of this change?
Discussed, for example, here: https://threatpost.com/gmail-image-proxy-changes-have-privacy-security-implications/103192

32
Cross-site scripting (XSS)
XSS comes in two broad forms, which have these confusing names:
– non-permanent, or reflective
– permanent
In both forms the attacker uses some means to send some code to a web server so that a victim accesses the page and runs the code, thinking it comes from the “trusted” web server rather than the attacker.

33
XSS: snippets of code
Good examples of insecure pages: http://www.insecurelabs.org/task
‘Hello world’ in JavaScript: alert('hello world')
A query passed to the server and executed by the client: http://www.insecurelabs.org/task/Rule1?query= alert('hello world')
Instead of this simple script, code stealing cookies would be used by an attacker
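Both forms from the previous slide, as an added Python example that is not part of the lecture or of insecurelabs.org: a page handler that reflects the query parameter unescaped (the reflective bug) next to the same handler with output encoding, and a stored-comment list standing in for the permanent case. The URL is constructed from the slide's Rule1 page with the alert wrapped in a script tag; the handler and function names are my own.

```python
import html
from urllib.parse import urlsplit, parse_qs, quote

# Constructed request, modelled on the slide: attacker-supplied text arrives in
# the "query" parameter and is reflected into the response page.
PAYLOAD = "<script>alert('hello world')</script>"
REQUEST_URL = "http://www.insecurelabs.org/task/Rule1?query=" + quote(PAYLOAD)


def query_from_url(url: str) -> str:
    """Extract the 'query' parameter as the server would see it (percent-decoded)."""
    return parse_qs(urlsplit(url).query).get("query", [""])[0]


def render_vulnerable(query: str) -> str:
    """Reflective (non-permanent) XSS: the parameter is pasted into the HTML as-is,
    so a <script> inside it runs in the victim's browser with the trusted site's
    origin, and therefore with access to that site's cookies."""
    return f"<h1>Results for: {query}</h1>"


def render_hardened(query: str) -> str:
    """Same page with output encoding: characters that are special in HTML are
    escaped, so the browser displays the text instead of executing it."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


STORED_COMMENTS: list[str] = []   # stands in for a forum's database (permanent case)


def post_comment(text: str) -> None:
    """Permanent XSS starts here: the server stores the text unchanged."""
    STORED_COMMENTS.append(text)


def render_comments(escape: bool) -> str:
    """Every later visitor gets the stored text; only escaping on output stops it running."""
    items = [html.escape(c, quote=True) if escape else c for c in STORED_COMMENTS]
    return "<ul>" + "".join(f"<li>{c}</li>" for c in items) + "</ul>"


def contains_active_content(page: str) -> bool:
    """Crude check used only to contrast the two renderings above."""
    return "<script" in page.lower()
```

Escaping on output is the fix in both forms; the difference between them is only where the attacker's text waits before the victim's browser receives it.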

35
Sample exam questions
Comment on the news item: “Deniss Calovskis was named by the US as one of the creators of the Gozi virus. Security analyst Graham Cluley said Gozi was a very successful trojan that pilfered huge sums from bank accounts.”
Comment on the news item: “The suspected hackers allegedly placed back doors, or code, to allow them to get back into the systems later to steal confidential information.”

36
Sample exam questions
Explain exactly what the word ‘cross-site’ stands for in cross-site scripting (XSS).
Experts in computer security distinguish between permanent and non-permanent cross-site scripting. Explain exactly what the difference is between permanent and non-permanent cross-site scripting.